
Hi Joshua,
many thanks for your suggestion, which I suppose would work perfectly, but I actually want iptables (CentOS 6.5 here, so no firewalld) rules in place all the time, but only "MY OWN" iptables rules ;>

Regards,
Giuseppe

Date: Tue, 25 Mar 2014 18:04:04 -0400
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
From: josh@wrale.com
To: giuseppe.ragusa@hotmail.com

Perhaps you could add the iptables and firewalld packages to yum.conf as excludes. I don't know if this would fail silently, but if so, the engine installer would never know.

Thanks,
Joshua

On Tue, Mar 25, 2014 at 5:49 PM, Giuseppe Ragusa <giuseppe.ragusa@hotmail.com> wrote:

Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand-tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny etc.).

Many thanks again,
Giuseppe

Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi@redhat.com
To: giuseppe.ragusa@hotmail.com
CC: users@ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

From: "Giuseppe Ragusa" <giuseppe.ragusa@hotmail.com>
To: "Yedidyah Bar David" <didi@redhat.com>
Cc: "Users@ovirt.org" <users@ovirt.org>
Sent: Tuesday, March 25, 2014 1:53:20 AM
Subject: RE: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.

Full logs attached.

I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.
I don't know how to make the agent not do that. I searched the sources a bit (which I don't know) and didn't find a simple way.

You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not update iptables, but the engine will think it did. So it's better to find a way to make the engine not do that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
-- 
Didi

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
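To see why Didi's override is placed in a "99-" file under [environment:enforce], here is an added example (not code from the thread, oVirt or otopi) that merges a small otopi-style conf.d overlay and resolves NETWORK/iptablesEnable. It assumes, beyond what the thread shows, that *.conf files merge in sorted name order with later files winning, that values use the "type:value" form (bool:False is on the page; int and str are assumed), and that [environment:enforce] takes precedence over the value the engine sends, which in turn beats [environment:default]; SAMPLE_CONFD, parse_typed, resolve_environment and effective_value are hypothetical names.

```python
# Added example, not code from the thread or from oVirt/otopi. Assumptions:
# *.conf files merge in sorted name order with later files winning (hence
# "99-"), values are written "type:value" (thread shows bool:False), and
# [environment:enforce] beats what the engine sends, which beats
# [environment:default].
import configparser

SECTIONS = ("environment:default", "environment:enforce")

# Constructed sample overlay: 10-old.conf enforces True, the 99- file from
# the thread flips it to False and wins because it sorts last.
SAMPLE_CONFD = [
    ("10-old.conf", "[environment:enforce]\nNETWORK/iptablesEnable=bool:True\n"),
    ("50-site.conf", "[environment:default]\nNETWORK/iptablesEnable=bool:True\n"),
    ("99-prevent-iptables.conf",
     "[environment:enforce]\nNETWORK/iptablesEnable=bool:False\n"),
]

def parse_typed(raw):
    """Turn 'bool:False' / 'int:3' / 'str:x' into a Python value."""
    kind, _, value = raw.partition(":")
    if kind == "bool":
        return value.strip().lower() in ("true", "1", "yes")
    if kind == "int":
        return int(value)
    if kind == "str":
        return value
    raise ValueError("unsupported value type: %r" % raw)

def resolve_environment(files):
    """files: iterable of (name, text) pairs; merged in sorted name order."""
    merged = {s: {} for s in SECTIONS}
    for _name, text in sorted(files):
        cp = configparser.RawConfigParser(delimiters=("=",))
        cp.optionxform = str  # keep NETWORK/iptablesEnable case as written
        cp.read_string(text)
        for section in SECTIONS:
            if cp.has_section(section):
                for key, raw in cp.items(section):
                    merged[section][key] = parse_typed(raw)
    return merged

def effective_value(env, key, engine_value=None):
    """Precedence assumed here: enforce > engine-supplied > default."""
    if key in env["environment:enforce"]:
        return env["environment:enforce"][key]
    if engine_value is not None:
        return engine_value
    return env["environment:default"].get(key)
```

Calling effective_value(resolve_environment(SAMPLE_CONFD), "NETWORK/iptablesEnable", engine_value=True) returns False: the engine still asks for iptables to be configured, which is exactly the mismatch Didi warns about, since the engine will believe the rules were written.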